Time is running out: get your cookie policy right

Yet again I am sitting here writing another post about cookies, when I’d much prefer to be out eating some. I think that this will eventually get me down to the point where I will just flop on my keyboard and the post will just a be a garble based on what my ear lands on and where I dribble. But we should at least try and look at this in an objective manner, because the ICO has been issuing more guidelines this week on what we should be doing to comply with the cookie laws that the UK has been handed by the EU.

This report is to be read alongside an updated version of our advice (the earlier version was published in May this year).

You can find the report linked to in the report by Christopher, but the long and the short of it is that this is regulation already and having a 12 month window until May 2012 doesn’t mean you can just ignore it an it will go away. Six months in, he says:

The report can be summed up by the schoolteacher’s favourite clichés: “could do better” and “must try harder”. A report that listed the URLs of sites that were perfectly compliant from day one would be very short indeed.

So you don’t have to read it, I’ll help you with some of the summaries. Dave Chaffey over at Smarter Insights has a very useful piece showing what he thinks will be allowed and what won’t be allowed under the new legislation. The long and short of it is that things that won’t be exempt:

Analytics cookies – you will have to ask users if they want to opt in (don’t forget that the ICO saw a 90% drop in their traffic when they implemented theirs).

First and third party advertising cookies – you will have to ask users to opt in to your advertisers if they do any tracking of their ads (or somehow get them to in ad).

Affiliate cookies – you will have to ask users before putting these on their computers

Of course this is all a bit ridiculous because of the following situation. You visit Facebook and get a cookie when you log in. This cookie follows you around the web when you look at a page with a ‘like’ button. You’ve already accepted it, so there is no reason for them to prompt you to accept again. Facebook can continue providing all the tailored adverts that they like. Even if you log out, you still have the cookie.

This is of course true for Google, Microsoft, Yahoo!, etc. So anyone who issues a first party cookie on their site when you log in to one of their services suddenly has a massive advantage in providing tailored content. Your Publishers will just switch to these companies and the users will be no better off.

The key point is not who obtains the consent but that valid, well informed consent is obtained.

The report also doesn’t state where the users should get consent – presumably that is at the point of setting, not the point of accessing (otherwise you’d have to get consent on every single page, which would be a nightmare for website and user):

An organisation with several connected websites could in theory obtain consent for cookies set on each site in one place, for example when the user logged in on one site. In order for this consent to be valid it would have to be absolutely clear which websites the cookies in question were set on, what those cookies were used for and exactly what the user was agreeing to.

So the point of the process is twofold. Firstly you should aim to give users more information about cookies and this seems obvious. Privacy policies have long been vehicles to get you out of trouble legally, rather than to inform users. Creating a page about cookies and how you user them would seem a simple task, as would making it prominent on the page.

However I disagree with the assertions of the document. Even if it is more prominent on the page, it doesn’t mean that people are more likely to read it, especially given their four solutions:

For those of you who can’t read that – they suggest you make it a different colour or give it a different name, but effectively keep it hidden out of the way.

So lets look at the techniques for getting opt in consent that they suggest:

Pop ups and similar techniques (such as message bars and splash pages)

You’ll be reminded, of course, that the ICO itself uses this method on their website – their is a little message bar at the top of the page:

This was so successful that 10% of the visits actually signed up to it.

Personally if I was going to suggest one of these, I would go with the splash page. Many advertisers do it and actually it would be a relatively simple implementation. You could add a bit of JavaScript to the bottom of the page that would load on the first page view to cover the whole screen and invite the user to accept cookies.

Get Consent when the User Signs Up or Buys

This of course seems a bit late in the process. You’ve already lost your users information about how they got to the site, what caused them to sign up, or buy. You won’t be able to make any marketing decisions about this user from how they got to the site. You’re adwords data is effectively useless now because you don’t know what the return on investment is (unless of course you’ve got a Google Conversion tag on your conversion page, the user already having signed up to Google’s cookies just by viewing Google).

Settings Led Consent

For websites where the user can make some settings that personalise the website for them, this is an option. When the user says “I live in London” you can tell them that to remember this, you are going to store it in a cookie and that you are also going to use the cookie to track the user across the website to make it easier for them to use.

It’s interesting to note that the ICO has repeatedly responded to arguments that this isn’t practical:

People say this law just isn’t practical – what happens if I do nothing and wait for it all to go away?This isn’t going away. It’s the law. The UK Regulations come from a European Directive that was passed in 2009. The requirements cannot easily be changed and cannot just be ignored. Many organisations are making a lot of effort to comply. The Information Commissioner has been clear that he will take a practical and proportionate approach to enforcing these rules where organisations are making the effort to comply.

Personally I see only three options for you and your website:

A Splash screen asking the users to accept cookies. I don’t see this as a good option for users or website owners: users universally hate splash pages and won’t know the difference between this and an advert.